I'm not very young; probably older than you. My surprise arises not from the fact that the US Government commits "sins", but from the supposed backdoors not being detected. I thought the main strength of Open Software was that the code is open for everybody, so things like backdoors aren't possible.

It is also possible that it is just a FUD manoeuvre.

Regards.

Luis_P

slam

Posted: 19.12.2010, 12:15

Team Member

Joined: 1970-01-01
Posts: 607
Location: w3

Well, OpenBSD always was a small project, and those working on the IPsec protocols have been and still are just a handful of people. So the self-regulation/cleaning - "security by obscurity" - never did work out that well; it simply needs more people to work (e.g. the Linux kernel).

As far as I have understood, the backdoor is not generally usable, but targeted a single dedicated network (EOUSA). The target reacted a long time ago, so these backdoors have been useless for a long time. What came out now will, however, damage the reputation of BSD in general.

This finally explains, of course, why OpenBSD was pushed by the FBI as "the most secure solution", to be used in many government bodies and agencies. At the same time they told everyone that Linux is not secure.

Linux or Open Source isn't bulletproof against this kind of "attack"; how could it be? It's like saying that a ghost goal is impossible because we have additional referees. It's just less likely.
And I can still buy (with enough money) all the referees to "influence" the outcome…

Furthermore, bugs are in general not marked as bugs. They are hard to find, and if someone wants to hide a bug in the code he can do it (most of the time this "someone" doesn't want to hide a bug; he just adds a bug without knowing it). With more and more people looking at it, it becomes harder to hide the bug, and if a certain threshold is reached the bug is found -- at this point the real strength of open source comes into play: it's not that everyone can find a bug only in open source - you can do that in closed source programs, too (you don't have all the options, but at least a few) - it's "just" that everyone can look at the code to fix it…

MfG. DonKult
"I never make stupid mistakes. Only very, very clever ones." ~ The Doctor

A lot of "he said, she said" but still waiting for "I have examined the source code and find the following: "

jaegermeister

Posted: 21.12.2010, 14:44

Joined: 2010-09-16
Posts: 28

The whole story is currently under investigation by the OpenBSD dev team. It looks like some of the claims were just FUD (they went to the CVS tree log and found just some pure debugging done by one of the guys mentioned); still, the story is not yet settled and further notice will surely emerge.

Also, it looks like, those "contributions" being quite old, should they be present in those terms, they might not work with the current tree structure.

That could be true for any OS. The Microsoft-NSA relation is known (and proven) so far, but with so many auditors working for big corps/multinationals like the ones that block freedom of speech (WikiLeaks and so on), no one can be sure.
And most of us don't have the -tech- skills to audit the code ourselves.
So in my opinion, the same thing could happen in any OS where commits come from such people.
Their practices in every other aspect of their activities make me believe so.